Remove a jar file from third party war dependency - java

So I want to exclude one jar file from a third party war dependency due to CVE issues.
I tried a lot of ways like overlay exclude, but it did not help.
Basically, I just want Maven to remove that jar transitive dependency in the war file.
Here is my current code:
<dependencies>
<dependency>
<groupId>org.apache.solr</groupId>
<artifactId>solr</artifactId>
<version>4.10.3</version>
<type>war</type>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.2</version>
<configuration>
<overlays>
<overlay>
<groupId>org.apache.solr</groupId>
<artifactId>solr</artifactId>
<excludes>
<exclude>WEB-INF/lib/commons-fileupload-1.2.1.jar</exclude>
</excludes>
</overlay>
</overlays>
</configuration>
</plugin>
</plugins>
</build>
But when I check the solr war file, the commons-fileupload-1.2.1.jar is still there. I am kind of lost now.
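The manual check described in the question (opening the built WAR to see whether commons-fileupload-1.2.1.jar is still under WEB-INF/lib) can be automated as a build gate. The following is an added example, not part of the original post: it flags denied jars by file name and also by the pom.properties metadata embedded in each jar, so a renamed copy is still caught. The deny list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

DENIED = {"commons-fileupload": {"1.2.1"}}  # assumption: artifactId -> rejected versions
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def identify(jar_name, jar_bytes):
    """Collect (artifactId, version) from the file name and from embedded pom.properties."""
    found = set()
    m = JAR_NAME.match(jar_name)
    if m:
        found.add((m["artifact"], m["version"]))
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            for entry in jar.namelist():
                if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                    text = jar.read(entry).decode("utf-8", "replace")
                    props = dict(l.split("=", 1) for l in text.splitlines()
                                 if "=" in l and not l.startswith("#"))
                    found.add((props.get("artifactId", "").strip(),
                               props.get("version", "").strip()))
    except zipfile.BadZipFile:
        pass  # unreadable archive: only the file name is available
    return found

def denied_jars(war, denied=DENIED):
    """Return the WEB-INF/lib entries of a WAR (path or file object) on the deny list."""
    hits = []
    with zipfile.ZipFile(war) as z:
        for entry in z.namelist():
            if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                ids = identify(entry.rsplit("/", 1)[-1], z.read(entry))
                if any(v in denied.get(a, ()) for a, v in ids):
                    hits.append(entry)
    return sorted(hits)

def make_zip(entries):
    """Constructed sample archive from {entry name: bytes}; used for jars and for the WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    renamed = make_zip({"META-INF/maven/g/a/pom.properties": b"artifactId=commons-fileupload\nversion=1.2.1\n"})
    war = make_zip({"WEB-INF/lib/upload.jar": renamed, "WEB-INF/lib/commons-io-2.4.jar": b""})
    print(denied_jars(io.BytesIO(war)))
```

Point `denied_jars` at the WAR that the project's own build produces: the third-party war stored in the local repository is never modified by Maven, so it will always still contain the jar.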

Related

Parent and child pom layout with maven shade plugin

I'm trying to make a fat uber jar that contains all the projects.
If I do "mvn package", I get an uber jar under the "blah" project target folder. (The blah project has the main class.)
The uber jar contains all the projects (as folders not jars), but when I run it, it doesn't seem to recognize feature1 & feature2 projects.
parent pom:
<plugins>
<!-- download source code in Eclipse, best practice -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-eclipse-plugin</artifactId>
<version>2.10</version>
<configuration>
<downloadSources>true</downloadSources>
<downloadJavadocs>false</downloadJavadocs>
</configuration>
</plugin>
<!-- Set a compiler level -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.6.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
<!-- Maven Shade Plugin -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.1.1</version>
<executions>
<!-- Run shade goal on package phase -->
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
<configuration>
<transformers>
<!-- add Main-Class to manifest file -->
<transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
<mainClass>com.a.blah.main</mainClass>
</transformer>
</transformers>
<filters>
<filter>
<artifact>*:*</artifact>
<excludes>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
</excludes>
</filter>
</filters>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
<modules>
<module>blahtask</module>
<module>feature1</module>
<module>feature2</module>
<module>blahmessaging</module>
<module>blah</module>
</modules>
pom for blah
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.39</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.a.blah</groupId>
<artifactId>blahtask</artifactId>
<version>1.0-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.a.blah</groupId>
<artifactId>blahmessaging</artifactId>
<version>1.0-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.a.fs</groupId>
<artifactId>feature1</artifactId>
<version>1.0-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.a.fs</groupId>
<artifactId>feature2</artifactId>
<version>1.0-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
I added dependencies for feature1 & feature2 above so that they are in the uber jar file. Is this wrong?
p.s. blahmessaging, feature1, & feature2 use classes/functions from blahtask.
It's really hard to find maven-shade-plugin examples with multiple projects. Hard to find how their pom files should be and how parent-child should be structured.
It turned out to be a service loader issue...
I manually added class names that I'm using for serviceloader in feature1 & feature2 projects.
If you are using serviceloader, here is what I did.
feature1/src/main/resources/META-INF/services/"some super class"
feature2/src/main/resources/META-INF/services/"some super class"
If you open those two with a text editor, there is a sub class name for each that you need for serviceloader. I copied them and appended them into the "some super class" file in the jar.

How to include libraries/dependencies when creating a jar file?

I created a Confluence plugin (a Java application) which has Maven on it and includes some dependencies in the pom.xml as follows: (It needs to use the Google Client Library)
<dependencies>
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-calendar</artifactId>
<version>v3-rev254-1.22.0</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>1.22.0</version>
<scope>compile</scope>
</dependency>
..... Skip .....
</dependencies>
I also downloaded the Google Client Library and created a "libs" folder at the "src/main/resources/" path in this maven project to store them, and added them as jars in Eclipse as follows:
However, after executing "atlas-debug" to invoke a Confluence instance or the "atlas-package" command, the final exported jar file usually does not include the dependencies/libraries (I found this from the failed jar file size; it is much smaller than the successful one).
How do I make the library files really be included in the exported jar file every time I execute the "atlas-debug" or "atlas-package" commands?
You can use the maven-assembly-plugin plugin, which will package all your dependencies in the jar. You can configure it in the plugins section under the build section in your pom.xml:
<build>
...
<plugins>
...
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.2.2</version>
<executions>
<execution>
<id>assembly</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
<configuration>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
<archive>
</archive>
</configuration>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
Remember that dependencies configured with <scope>provided</scope> won't be included in the jar.

Maven : Packaging Jar on local filesystem, but not in WAR file.

We are working on a Spring-MVC project in which we use Maven as a dependency management tool, deployed on Apache Tomcat. Currently, we are also integrating Stanford parser, and adding the model libraries is increasing our WAR file's size from 192Mb to 600Mb.
This presents us with a problem as we are still in development, and we do deployments on our test system more often and would like to reduce the delay it takes in uploading files.
Is there any way that we can add those JARs on our local file-system from which they are referred but not included in the WAR file? Thank you.
POM.xml :
<parent>
<groupId>io.spring.platform</groupId>
<artifactId>platform-bom</artifactId>
<version>1.1.3.RELEASE</version>
<relativePath />
</parent>
<dependencies>
<dependency>
<groupId>edu.stanford.nlp</groupId>
<artifactId>stanford-parser</artifactId>
<version>3.7.0</version>
</dependency>
<dependency>
<groupId>edu.stanford.nlp</groupId>
<artifactId>stanford-corenlp</artifactId>
<version>3.7.0</version>
</dependency>
<dependency>
<groupId>edu.stanford.nlp</groupId>
<artifactId>stanford-corenlp</artifactId>
<version>3.7.0</version>
<classifier>models</classifier>
</dependency>
<dependency>
<groupId>edu.stanford.nlp</groupId>
<artifactId>stanford-corenlp</artifactId>
<version>3.7.0</version>
<classifier>models-german</classifier>
</dependency>
<!-- And other dependencies -->
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.samaxes.maven</groupId>
<artifactId>minify-maven-plugin</artifactId>
<version>1.7.4</version>
<!-- Plugin configuration -->
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.8</source>
<target>1.8</target>
<compilerArgument>-Xlint:all</compilerArgument>
<showWarnings>false</showWarnings>
<showDeprecation>true</showDeprecation>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<configuration>
<mainClass>org.test.int1.Main</mainClass>
</configuration>
</plugin>
</plugins>
</build>
Did you try scope provided - it should be excluded from the war.
Documentation project object model
You could move these big libraries into the Tomcat lib folder and not provide them in the packaged war by specifying them as provided in Maven.

Maven 3: Overlay is not a dependency of the project

I'm trying to test the overlay functionality of the maven-war-plugin. Basically I need to merge two war projects.
So I defined a war as dependency:
<dependency>
<groupId>my.group.id</groupId>
<artifactId>my-legacy-war-project</artifactId>
<version>${project.version}</version>
<type>war</type>
</dependency>
And then configured the overlay:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<overlays>
<overlay>
<groupId>my.group.id</groupId>
<artifactId>my-legacy-war-project</artifactId>
<targetPath>legacy</targetPath>
</overlay>
</overlays>
</configuration>
</plugin>
But Maven fails to build this project, complaining about this dependency:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-war-plugin:2.3:exploded (default) on
project my-project: overlay [ id my.group.id:my-legacy-war-project] is
not a dependency of the project. -> [Help 1]
Is the overlay supposed to work with Maven 3.0.5? Why is the build complaining about a dependency that's declared?
Not sure why, but using id instead of groupId and artifactId in the overlay worked:
<configuration>
<overlays>
<overlay>
<id>my-legacy-war-project</id>
<targetPath>legacy</targetPath>
</overlay>
</overlays>
</configuration>
I had the same error, but possibly for a different reason, since you are bringing in a war dependency. In my case, I had a war dependency as one overlay, and a jar dependency as another. The build complained about the jar dependency:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-war-plugin:2.4:war (default-war) on project overlay: overlay [ id com.mycompany:launcher] is not a dependency of the project.
I fixed the error by adding a <type>jar</type> element to my jar overlay. According to the overlay documentation, the default value for type is war, and so the build correctly complained that I did not have a war artifact named launcher.
Here's the working pom for my overlay project:
<project>
<artifactId>overlay</artifactId>
<packaging>war</packaging>
<dependencies>
<dependency>
<groupId>com.mycompany</groupId>
<artifactId>app</artifactId>
<type>war</type>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.mycompany</groupId>
<artifactId>launcher</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<overlays>
<overlay>
<groupId>com.mycompany</groupId>
<artifactId>app</artifactId>
</overlay>
<overlay>
<groupId>com.mycompany</groupId>
<artifactId>launcher</artifactId>
<type>jar</type> <!-- THIS IS THE FIX -->
</overlay>
</overlays>
</configuration>
</plugin>
</plugins>
</build>
</project>
I had the same problem with maven-war-plugin version 2.2 and abuse of duplicate plugin declarations. After unifying them and using Sergio Michels' suggestion, it now works fine using version 2.3 of maven-war-plugin.
Before changing:
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<dependentWarExcludes>'**/jdbc.properties,**/hibernate.cfg.xml,**/sql-map-config.xml,**/web.xml,WEB-INF/classes/META-INF/**'</dependentWarExcludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<warName>my-snapshot</warName>
<overlays>
<overlay>
<id>my-webapp-common</id>
<groupId>xyz.mycompany</groupId>
<artifactId>my-webapp-common</artifactId>
</overlay>
</overlays>
</configuration>
</plugin>
After applying changes:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.3</version>
<configuration>
<warName>my-snapshot</warName>
<overlays>
<overlay>
<id>my-webapp-common</id>
<targetPath>legacy</targetPath>
</overlay>
</overlays>
<dependentWarExcludes>'**/jdbc.properties,**/hibernate.cfg.xml,**/sql-map-config.xml,**/web.xml,WEB-INF/classes/META-INF/**'</dependentWarExcludes>
</configuration>
</plugin>
Expanding on the other answers. The problem is to get overlay to use the same id as dependency.
Using $ mvn dependency:list can show you the ID you need. For example:
[INFO] +- com.foo.bar.v2:api:jar:1.0:system
[INFO] \- com.foo.bar.v2:main-server:war:1.0:system
[INFO] \- com.foo.bar.v2:second-server:war:classes:1.0:system
Shows one jar and one war. Note: :jar vs :war is entirely controlled by whether you used <type>war</type> in your dependency. Similarly, :classes (or empty) is entirely controlled by whether you used <classifier>classes</classifier> in your dependency.
You need to get this in alignment with <overlay>. For com.foo.bar.v2:main-server:war:1.0:system listed above, this would be the overlay entry:
<overlay>
<id>com.foo.bar.v2:main-server:war:1.0</id>
<groupId>com.foo.bar.v2</groupId>
<artifactId>main-server</artifactId>
</overlay>
For com.foo.bar.v2:second-server:war:classes:1.0:system, this would be the correct entry:
<overlay>
<id>com.foo.bar.v2:second-server:war:classes:1.0</id>
<groupId>com.foo.bar.v2</groupId>
<artifactId>second-server</artifactId>
<classifier>classes</classifier>
</overlay>

Using JBoss modules in IDEs like Eclipse

I currently started my JavaEE course at the faculty and I installed Eclipse for JavaEE. I installed JBoss 7.1.1 from the Eclipse Marketplace and I started developing applications, all worked fine.
Now, I reached a point where I need a specific library (Apache Commons IO) that the server has as a module. The point is I need to get this module in the development environment somehow. I added the JAR from the server folder to the WEB-INF/lib folder and as a JAR dependency in my project, but I think there is a more elegant solution.
Is there a way I can automatically add the server modules in the Eclipse environment?
P.S.: I must mention that the project I created is a simple Dynamic Web Project, not the kind of project that the JBoss plugin creates and I intend to stay with this type of project because the course asks to develop this way.
Try to use Maven for your development environment. It may be the answer to your question.
Here are some useful links of Maven
Creation of Dynamic Web project with Maven
Guide to using Eclipse with Maven
The solution was to learn Maven and use the m2eclipse plugin for Eclipse. My final POM is looking like this:
<build>
<sourceDirectory>${basedir}/src</sourceDirectory>
<resources>
<resource>
<directory>${basedir}/src</directory>
<excludes>
</excludes>
</resource>
</resources>
<plugins>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>2.3</version>
<configuration>
<warSourceDirectory>${basedir}/WebContent</warSourceDirectory>
<failOnMissingWebXml>false</failOnMissingWebXml>
</configuration>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.0</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>7.4.Final</version>
<executions>
<execution>
<phase>install</phase>
<goals>
<goal>deploy</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-io</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>7.0</version>
<scope>provided</scope>
</dependency>
</dependencies>
